YEAR 2000 COMPUTING PROBLEM REPORTS:
AUGUST 1997 REPORT

Report No. 98-077                         February 18, 1998

Office of the Inspector General
Department of Defense

Additional Copies
To obtain additional copies of this audit report, contact the Secondary Reports Distribution Unit of the Analysis, Planning, and Technical Support Directorate at (703) 604-8937 (DSN 664-8937) or FAX (703) 604-8932.

Suggestions for Future Audits
To suggest ideas for or to request future audits, contact the Planning and Coordination Branch of the Analysis, Planning, and Technical Support Directorate at (703) 604-8908 (DSN 664-8908) or FAX (703) 604-8932. Ideas and requests can also be mailed to:

    OAIG-AUD (ATTN: APTS Audit Suggestions)
    Inspector General, Department of Defense
    400 Army Navy Drive (Room 801)
    Arlington, Virginia 22202-2884

Defense Hotline
To report fraud, waste, or abuse, contact the Defense Hotline by calling (800) 424-9098; by sending an electronic message to Hotline@DODIG.OSD.MIL; or by writing to the Defense Hotline, The Pentagon, Washington, D.C. 20301-1900. The identity of each writer and caller is fully protected.

Acronyms
CIO                  Chief Information Officer
OMB                  Office of Management and Budget
Y2K                  Year 2000

INSPECTOR GENERAL
DEPARTMENT OF DEFENSE
400 ARMY NAVY DRIVE
ARLINGTON,
VIRGINIA 22202

February 18, 1998

MEMORANDUM FOR ASSISTANT SECRETARY OF DEFENSE (COMMAND, CONTROL, COMMUNICATIONS, AND INTELLIGENCE)

SUBJECT: Audit Report on DOD Year 2000 Computing Problem Reports: August 1997 Report (Report No. 98-077)

We are providing this audit report for information and use. This report is the first of a series, the primary purpose of which is to provide the DOD Chief Information Officer and other senior DOD managers with an independent assessment of DOD progress, including identifying areas of concern, related to its year 2000 efforts.

We considered management comments on a draft of this report when preparing the final report. Comments on the draft of this report conformed to the requirements of DOD Directive 7650.3 and left no unresolved issues. Therefore, no additional comments are required.

We appreciate the courtesies extended to the audit staff. Questions on the audit should be directed to Ms. Mary Lu Ugone, Audit Program Director, at (703) 604-9049 (DSN 664-9049); Mr. James W. Hutchinson, Audit Project Manager, at (703) 604-9060 (DSN 664-9060); or Mr. Timothy J. Harris, Audit Team Leader, at (703) 604-9053. If management requests, we will provide a formal briefing on the audit results. See Appendix D for the report distribution. The audit team members are listed inside the back cover.

Robert J. Lieberman
Assistant Inspector General for Auditing

Office of the Inspector General, DOD

Report No. 98-077                         February 18, 1998
(Project No.
7RE-6023)

Year 2000 Computing Problem Reports: August 1997 Report

Executive Summary

Introduction. Information technology systems have typically used two digits to represent the year, such as “97” representing 1997, to conserve electronic data storage and reduce operating costs. With the two-digit format, however, the year 2000 is indistinguishable from 1900. As a result of that ambiguity, computers and associated systems and application programs that use dates to calculate, compare, and sort could generate incorrect results when working with years after 1999.

This is one of a series of reports being issued by the Inspector General, DOD, in accordance with an informal partnership with the Chief Information Officer, DOD, to monitor DOD efforts to address the year 2000 computing challenge.

Audit Objectives. The overall audit objective was to evaluate the DOD year 2000 oversight actions and reports submitted to the Office of Management and Budget. Specifically, we determined whether the DOD quarterly reports to the Office of Management and Budget were reasonable and accurate. We also evaluated the internal reporting requirements and process used by DOD to monitor and oversee the DOD year 2000 efforts.

Audit Results. The DOD Component August 1997 reports on year 2000 did not provide all the required information and were not fully reliable. Accordingly, DOD does not yet have an adequate baseline to effectively measure its year 2000 progress. The audit results are detailed in Part I.

Summary of Recommendations. We recommend an update to the DOD Year 2000 Management Plan that reflects changes in reporting requirements and includes adequate procedures on how year 2000 quarterly reports should reconcile.

Management Comments.
The Acting Assistant Secretary of Defense (Command, Control, Communications, and Intelligence) concurred with the recommendation and stated that the revised DOD Year 2000 Management Plan, which is planned to be issued in February 1998, would be updated as recommended.

Table of Contents

Executive Summary

Part I - Audit Results
      Audit Background
      Audit Objectives
      Year 2000 Information Technology System Reporting

Part II - Additional Information
      Appendix A. Audit Process
        Scope and Methodology
      Appendix B. Prior Coverage and Related Publications
      Appendix C. DOD Component August 1997 Reports
      Appendix D. Report Distribution

Part III - Management Comments
      Office of Assistant Secretary of Defense (Command, Control, Communications, and Intelligence) Comments

Part I - Audit Results

Audit Background

The year 2000 (Y2K) problem is rooted in the way dates are recorded and computed in information technology systems. For the past several decades, computer systems have typically used two digits to represent the year, such as “97” representing 1997, to conserve on electronic data storage and reduce operating costs. With the two-digit format, however, the Y2K is indistinguishable from 1900. As a result of the ambiguity, computers and associated system and application programs that use dates to calculate, compare, or sort could generate incorrect results when working with years after 1999.

DOD Y2K Management Strategy.
In his role as the DOD Chief Information Officer (CIO), the Assistant Secretary of Defense (Command, Control, Communications, and Intelligence) issued the “DOD Year 2000 Management Plan” (the Plan) in April 1997. The Plan provides the overall DOD strategy and guidance for inventorying, prioritizing, fixing, or retiring systems, and for monitoring progress. According to the Plan, the CIO has overall responsibility for overseeing the DOD solution to the Y2K problem. Each DOD Component is responsible for awareness, assessment, renovation, validation, and implementation action. The Plan includes a description of the five-phase Y2K management process and designates the Defense Integration Support Tools database as the official repository of DOD Component information technology systems data.

The Five-Phase Management Process. Each of the five phases listed below represents a major Y2K program activity or segment. Target completion dates range from December 1996 through November 1, 1999.

- Phase I - Awareness. Organization and planning take place. Target completion date: December 1996.
- Phase II - Assessment. Scope of Y2K impact is identified and system level analyses take place. Target completion date: June 1997.
- Phase III - Renovation. Required system fixes are accomplished. Target completion date: December 1998.
- Phase IV - Validation. Systems are confirmed as Y2K compliant through assorted testing and compliance processes. Target completion date: January 1999.
- Phase V - Implementation. Systems are fully operational after being certified as Y2K compliant. Target completion date: November 1, 1999.

Defense Integration Support Tools Database.
Originally designed to support the planning and execution of the DOD automated information system migration strategy, the Defense Integration Support Tools database was selected to provide DOD-wide Y2K-related information that DOD managers could use to track and monitor the transition to Y2K compliance of mission-critical and other designated systems. The Defense Integration Support Tools database, maintained by the Defense Information Systems Agency, contains data on designated DOD Component information technology systems. The information includes hardware platforms, operating systems, applications languages, communications, and interfaces.

Y2K Reporting Requirements. DOD Components are required to submit Y2K quarterly reports to the CIO to satisfy both DOD and Office of Management and Budget (OMB) requirements.

DOD Reporting Requirements. On March 12, 1997, the CIO issued the memorandum “Year 2000 Refined Reporting Requirements for DOD,” which established minimum, quarterly reporting requirements for Y2K assessment and progress across DOD. The purpose of the reporting requirement was to provide the CIO of DOD and CIOs of DOD Components with the visibility necessary to ensure a thorough and successful transition to Y2K compliance for all DOD systems. The DOD Components are required to report the status of their Y2K efforts to the CIO of DOD each quarter, beginning April 18, 1997. The CIO of DOD identified 23 DOD Components that are required to report on the status of systems that have been entered into the Defense Integration Support Tools Database. The information reported is intended to show the status of DOD Y2K efforts and is being used by the CIO of DOD to perform oversight for DOD Y2K efforts and to fulfill OMB reporting requirements at the DOD level.

OMB Reporting Requirements.
On May 7, 1997, OMB issued the “Memorandum on Computer Difficulties Due to the Year 2000 -- Progress Reports.” The purpose of the memorandum is to provide Y2K progress reports to Congress and the public. It requires heads of selected Government agencies to report on the status of Y2K efforts each quarter, with the initial report due May 15, 1997. Each agency is required to report on mission-critical systems, including information on the number of systems that are Y2K compliant, being replaced, being repaired, and being retired. As of July 31, 1997, DOD reported 3,695 mission-critical systems to OMB. Of those systems, 652 were already Y2K compliant, 267 were to be replaced, 2,593 were being repaired, and 183 were to be retired. The total cost of the DOD Y2K effort was estimated at $1.4 billion. In addition, DOD reported that, to date, no DOD Component has reported delayed schedules for mission-critical systems. Appendix C contains the supporting data of the August 1997 Y2K report, which was submitted to OMB on August 15, 1997.

[1] The 23 DOD Components include all Defense agencies and the Services. Some of the smaller DOD agencies are consolidated into 1 of the 23 DOD Components.

Audit Objectives

The overall audit objective was to evaluate the DOD Y2K oversight actions and reports submitted to OMB. Specifically, we determined whether the DOD quarterly reports to OMB were reasonable and accurate. We also evaluated the internal reporting requirements and process used by DOD to monitor and oversee DOD Y2K efforts. Because of the urgency of reporting the audit results to senior DOD management, we did not formally evaluate related management controls.
See Appendix A for a discussion of the scope and methodology and Appendix B for a summary of prior coverage.

Year 2000 Information Technology System Reporting

The DOD Component August 1997 Y2K reports did not provide all the required information and were not fully reliable. The reports lacked required and reliable information because DOD did not establish clear reporting guidance and requirements. Accordingly, DOD has not established an adequate baseline to effectively measure its Y2K progress.

Y2K Quarterly Reporting

DOD Quarterly Reports to OMB. After consolidating DOD Component reports, the CIO submitted the first two DOD-level reports to OMB on May 15 and August 15, 1997. The following table provides a comparison of the total number of mission-critical systems reported to OMB.

Reported Status of DOD Mission-Critical Systems

                                    First Quarter    Second Quarter
                                     (May 1997)      (August 1997)

Total mission-critical systems         3,962             3,695
Already Y2K compliant                    582 [1]           652
Being replaced                           473 [2]           267
Being repaired                         2,752 [1]         2,593
Being retired                            487 [1]           183
Undetermined [3]                         141 [1]

[1] Changes anticipated as assessments are completed.
[2] Not included in total.
Entries may have been reported twice.
[3] Category reported only for First Quarter.

The DOD Y2K report to OMB in August 1997 showed progress toward ensuring its information technology systems are Y2K compliant. The number of compliant systems increased by 70 from May to August 1997. However, conclusions based on further comparison would be questionable because the information used to compile the DOD report to OMB was not fully complete or reliable.

Component Quarterly Reports. Although DOD Component reports were not fully complete or reliable, the CIO staff stated that they were substantially more complete and accurate than the first reports because the DOD Components better understood the reporting requirements. However, our analyses of the August 1997 reports did not confirm that statement.

Completeness of Reports. The DOD Component reports did not substantially improve from the previous quarter. Our analysis showed that only one DOD Component submitted a complete report for May 1997. Of the 23 DOD Components required to submit an August 1997 report, initially, 14 were incomplete, 4 were complete, and 5 did not submit a report, but instead, requested that the CIO staff extract the report data from the Defense Integration Support Tools database.
The 14 incomplete reports were missing required Y2K information such as:

- the number of compliant systems,
- the number of noncompliant systems in each of the required five phases, and
- the cost to repair noncompliant systems.

The incomplete reports were also missing infrastructure devices controlled by information technology, such as personal computers, file servers, fax machines, elevators, and access security systems.

Reliability of Reports. The DOD Component Y2K reports for August 1997 were unreliable. Of the 23 DOD Components required to submit quarterly reports, 11 submitted at least one report that did not reconcile. [2] The quarterly reports did not reconcile because the reporting requirements memorandum that the DOD CIO issued did not provide adequate procedures on how the reports should balance. Further, for DOD Components that submitted a report that did not reconcile, CIO staff needed to resolve discrepancies with the DOD Components before a report could be submitted to OMB. The reconciliation process is time-consuming and uses resources that could be better spent on CIO oversight responsibilities and the Y2K effort.
We believe that reporting guidance, which includes sufficient reconciliation procedures, is needed in the DOD Y2K Management Plan to reduce the amount of resources being expended to reconcile the quarterly reports.

Procedures and Requirements for DOD Component Y2K Reports. Reporting procedures and requirements for Y2K reports need to be improved to increase the reliability and usefulness of the information being collected.

[2] For a second quarter report to reconcile, the number of noncompliant systems minus the number of systems that are being retired should equal the number of systems that are placed in the five phases. However, the reconciliation procedures were changed for third quarter reporting in that the number of systems being replaced will also be subtracted from noncompliant systems.

Procedures for Y2K Reports. Although a comparison of the numbers provided to OMB in the first two quarterly reports indicated that DOD was progressing in identifying and fixing systems with Y2K problems, such a conclusion may be misleading because the procedures used for determining the numbers reported to OMB differed substantially. The number of systems and the various phases they were in were changed by the Components in response to continuing refinement in reporting procedures. For example, the Navy reported 899 mission-critical systems for May 1997 and 289 for August 1997. Accordingly, meaningful comparisons between the first two quarterly reports submitted to OMB were difficult. The CIO acknowledged that different reporting methods were used for the August 1997 quarterly report to OMB, and stated that the report will provide a stable baseline against which future reports can be meaningfully compared.
However, we believe that the reporting procedures have to be better defined in the DOD Y2K Management Plan (the Plan) before adequate comparison can occur between the reporting periods.

Reporting Requirements and Definitions. The wide disparity in the number of systems that the DOD Components reported (see Appendix C) indicates that the DOD Components did not consistently interpret the CIO reporting requirements. The Plan provides definitions for “system” and “mission-critical,” but the definitions are nonspecific and open to interpretation. Because DOD Component interpretations of those definitions were not uniform, the usefulness of DOD Component reports for oversight purposes by either the DOD CIO or OMB was questionable.

Total Systems Reported. A Y2K system is defined in the Plan as:

    An automated process that uses information technology such as computer hardware and software to perform a specific function, application, or service.

The total number of systems reported by DOD Components varied greatly. For example, the Army reported 13,687 systems for August 1997, while the Navy and the Air Force reported 1,970 and 2,584 systems, respectively. It is reasonable to conclude that the Army does not have almost seven times more information technology systems than the Navy or five times more systems than the Air Force. Conversely, some DOD Components reported no or few systems. For example, the Armed Forces Information Service and the Defense Contract Audit Agency reported 0 and 1 system, respectively.

Mission-Critical Systems Reported.
The Plan defines mission-critical as:

    A system that when its capabilities are degraded, the organization realizes a resulting loss of a core capability.

The definition of mission-critical is important because OMB requires Y2K information for all mission-critical systems. The number of mission-critical systems reported varied greatly. In the August 1997 report, DOD reported to OMB 3,695 mission-critical systems. One DOD Component, the National Security Agency, reported 1,573 mission-critical systems, or about 40 percent of the total number of mission-critical systems that DOD reported. In comparison, the Army, the Navy, and the Air Force reported 367, 289, and 395 systems as mission critical, respectively. We noted that six DOD Components judged 100 percent of their systems as being mission critical, while three DOD Components reported fewer than 10 percent of their systems as mission critical. Conclusively, the DOD Components needed clearer definitions of reporting terminology to reduce misinterpretations. DOD Components may have submitted incomplete and unreliable information because of the uncertainty of which systems to report and whether to report them as mission critical.

Management Action. During our audit, senior DOD officials became aware that vague definitions negatively affected the usefulness and accuracy of Y2K reporting and have begun to take corrective action.
On October 16, 1997, the DOD Y2K Steering Committee, which is composed of senior DOD managers and is chaired by the Deputy Secretary of Defense, assigned the responsibility of standardizing definitions for quarterly reporting to the Assistant Secretary of Defense (Command, Control, Communications, and Intelligence).

Initial Data for Next Reports. According to CIO staff, initial input for the next round of reports was significantly improved over the August 1997 reports. Citing only one incomplete report, CIO staff stated that the DOD Components submitted improved reports because reporting guidance and direction issued by the CIO have become stable. We have not yet evaluated the DOD Component November 1997 quarterly reports, but we agree that positive changes were made to the reporting process and specific reporting procedures. The next report in our series of audit reports on Y2K issues will address, if appropriate, further areas of concern related to quarterly Y2K reporting.

Summary

Initial problems are to be expected in establishing any new reporting process, especially on a DOD-wide basis. Additionally, both OMB and DOD established quarterly reporting requirements, but neither organization published specific guidance on how the quarterly reports were to be formulated. Further, DOD definitions provided for Y2K reporting purposes were too broad. Accordingly, DOD Component reports were not fully complete or reliable. More important, reporting consistency was insufficient to enable useful comparison of quarterly reports.

Specific reporting guidance and requirements have evolved since the requirement for quarterly reporting was established. The dissemination of that guidance by CIO staff was informal; that is, by electronic mail and telephone conversations.
Because Y2K quarterly reporting guidance and procedures have matured and stabilized, they need to be formally issued to DOD organizations. We agree with CIO staff that the best mechanism for formal distribution is a revised DOD Plan. The revised Plan should set forth specific procedures for DOD Component Y2K reporting and include clarified definitions. Until Y2K quarterly reports become stable and consistent, the reports will continue to be of limited value for oversight purposes.

Management Comments on the Finding and Audit Response

Management Comments on Completeness of DOD Component Reports. The Acting Assistant Secretary of Defense (Command, Control, Communications, and Intelligence) provided comments on the draft report discussion of the completeness of DOD Component reports, stating that the second quarterly reports were more complete than the first quarterly reports, and that the reporting of embedded chip information was the only “incomplete” category of data not submitted by the Components. The complete text of management comments is in Part III of this report.

Audit Response. We agree with the Acting Assistant Secretary that the second quarterly reports were more complete than the first quarterly reports. However, we continue to believe that the initial submission of incomplete reports by 14 of 23 DOD Components indicates substantial uncertainty and confusion about the Y2K reporting process, procedures, and requirements. We do not agree that embedded chip information was the only category of information not initially reported.
As stated in the draft report, other categories of data which were initially omitted included the number of compliant systems, the number of noncompliant systems in each of the five phases, and the cost to repair noncompliant systems.

Management Comments on the Usefulness of Information Collected. Regarding the utility of collecting numbers of personal computers and communications system components, the Acting Assistant Secretary recognized that some of the information required may not be ideal for oversight purposes, but he believes that the collection of that information is necessary to help ensure that all DOD information technology equipment is evaluated for Y2K compliance.

Audit Response. In the draft report, we concluded that some data that the CIO required was of little use for oversight purposes. Although the primary concern of OMB personnel was mission-critical systems, they also required a brief narrative summarizing progress made in other infrastructure systems that relied on embedded microchips, such as elevators, security systems, and biomedical devices. Within the infrastructure reporting category, the CIO also requires the DOD Components to report personal computers, file servers, and communications hardware and software modules. We questioned the need for that additional reporting requirement as the information did not provide a gauge for monitoring progress because the total number of DOD personal computers and network components had not been defined.
Additionally, because the DOD definition of “system” is broad and open to interpretation, DOD had no assurance that the personal computers and networks reported in the “infrastructure” category were not also reported as part of other information technology systems.

We continue to question whether watching aggregate numbers grow provides valuable oversight information. However, upon reconsideration, we agree that oversight options for ensuring that all of the information technology resources for DOD are limited and that some degree of oversight is better than none. Additionally, on January 20, 1998, OMB issued new quarterly reporting requirements which now specifically require telecommunications systems to be reported in the “infrastructure” category. Further, on February 4, 1998, the Acting Assistant Secretary’s staff orally committed to include in the revised DOD Plan specific cautions to the DOD Components about possible “double counting” in their quarterly Y2K reports. Based on those factors, the issue was omitted from our final report.

Recommendations for Corrective Action and Management Comments

Deleted Recommendation. As a result of management comments, we deleted draft Recommendation 2. Draft Recommendation 1. is now unnumbered.

We recommend that the Assistant Secretary of Defense (Command, Control, Communications, and Intelligence), in the role of the DOD Chief Information Officer, update the DOD Year 2000 Management Plan to reflect changes in reporting requirements and to include adequate procedures on how year 2000 quarterly reports should reconcile.

Management Comments.
The Assistant Secretary concurred and stated that the DOD Y2K Management Plan would be updated accordingly. The Assistant Secretary anticipates issuance of the updated Management Plan in February 1998. The complete text of management comments is in Part III of this report.

Part II - Additional Information

Appendix A. Audit Process

Scope and Methodology

Work Performed. We reviewed the reports that DOD Components submitted to the CIO for the first and second reporting quarters, ending April 30 and July 31, 1997, respectively. We evaluated the completeness and reliability of the reports in accordance with CIO reporting requirements and the requirements stated in the DOD Y2K Management Plan. We also evaluated the usefulness of the report information for oversight purposes. We interviewed personnel within the Assistant Secretary of Defense (Command, Control, Communications, and Intelligence) who are responsible for issuing reporting guidance and collecting the Y2K information from the DOD Components and submitting the information to OMB. We also interviewed personnel within the DOD Components who are responsible for the Y2K reporting. The scope of the audit was limited in that we did not review the management control program because DOD has acknowledged the Y2K computing problem as an area with material management control weaknesses and further reporting on those weaknesses would be redundant.

This is one of a series of reports being issued by the Inspector General, DOD, in accordance with an informal partnership with the Chief Information Officer, DOD, to monitor DOD efforts to address the Y2K computing challenge.
For a
listing of audit projects addressing this issue, see the Y2K webpage on IGNET
(at http://www.ignet.gov/).

Use of Computer-Processed Data and Statistical Sampling. We did not use
computer-processed data or statistical sampling procedures for this audit.

Audit Type, Dates, and Standards. We performed this economy and
efficiency audit from July through October 1997 in accordance with auditing
standards issued by the Comptroller General of the United States, as
implemented by the Inspector General, DOD.

Contacts During the Audit. We visited or contacted individuals and
organizations within DOD. Further details are available on request.

Appendix B. Prior Coverage and Related Publications

General Accounting Office

The General Accounting Office has conducted several audits related to Y2K
issues. The audits are summarized below.

General Accounting Office Report No. AIMD-98-35 (OSD Case No. 1484),
“Defense Computers: Air Force Needs to Strengthen Year 2000
Oversight,” January 16, 1998. Congress requested the review of the
Air Force Y2K program. The review focused on Air Force oversight of its
Y2K program and the appropriateness of its strategy and actions for ensuring
that the Air Force will successfully address the Y2K problem. The Air Force
has taken a number of positive actions toward fulfilling its Y2K oversight
responsibilities. At the same time, the Air Force had not yet adequately
addressed several critical issues that would ensure that it is well-positioned to
deal with the later, and more difficult, phases of Y2K correction. The review
showed that some Air Force components are not adequately planning for the
testing phase of their Y2K effort and developing contingency plans.
Some Air
Force components are also taking conflicting approaches toward determining the
actual impact of the program status to their system interfaces. If the Air Force
does not promptly address and take consistent action on those issues, it may
well negate any success it may have in making its systems Y2K compliant.
While the Air Force has enlisted the help of the Air Force Audit Agency to
address some of those concerns, the Air Force must continue its comprehensive
oversight to ensure that it can address unforeseen problems and delays in the
next, more difficult phase.

General Accounting Office Correspondence Report No. AIMD-98-7R (OSD
Case No. 1471), “Defense Computers: Technical Support Is Key to Naval
Supply Year 2000 Success,” October 21, 1997. The report states that Naval
Supply Systems Command had not allocated sufficient resources to the Fleet
Material Support Office Year 2000 Project Office to ensure that all systems
interfaces were identified and adequately monitored for progress. Also, Naval
Supply Systems Command had not directed that risk assessments be performed
or that contingency plans be prepared at the system and functional levels. As a
result of the concerns that the General Accounting Office raised, Naval Supply
Systems Command and Fleet Material Support Office officials have begun
addressing system interface issues by assigning full-time staff to identify
date-related data elements in interface files and to ensure that date formats are
compatible. The actions, together with Naval Supply Systems Command’s
plans for requiring systems managers to perform risk assessments and develop
contingency plans for critical systems, should help mitigate the loss of
operational capability at the year 2000.
As Naval Supply Systems Command
progresses to the renovation, validation (testing), and implementation phases of
the Y2K program, it must pay continued attention to those issues to better
ensure that the year 2000 challenge is met. The Director, Test, Systems
Engineering and Evaluation, concurred with a draft of this report.

General Accounting Office Report No. AIMD-97-149 (OSD Case No. 1446),
“Defense Computers: Logistics Systems Support Center Needs to Confront
Significant Year 2000 Issues,” September 26, 1997. The report states that
while Y2K improvement efforts have been initiated by the Logistics Systems
Support Center on its Commodity Command Standard System program, the
Logistics Systems Support Center has not completed several key project
management actions associated with the assessment phase. As a result, the
Logistics Systems Support Center is not presently well-positioned to move to the
more difficult phases of renovation, validation, and implementation in the Y2K
process, phases that industry experts estimate could consume as much as
three-fourths of Y2K project time and resources. The report recommends that the
Logistics Systems Support Center still needs to take a number of actions to
increase its chances of success, including managing competing workload
priorities, planning for testing, clarifying and coordinating written systems
interface agreements, and developing a contingency plan. To increase its
chances of successfully managing its Y2K program, the Logistics Systems
Support Center will also need to institutionalize a repeatable software change
process that can be used from project to project.
Given the prominence of date
processing in the Commodity Command Standard System and its central mission
of sustaining the soldier in the field, the Logistics Systems Support Center
cannot delay any longer, and must demonstrate that it will perform all the key
actions associated with sound Y2K planning and management. The Director,
Test, Systems Engineering and Evaluation, concurred with a draft of the report.

General Accounting Office Correspondence Report No. AIMD-97-120R
(OSD Case No. 1399), “Defense Computers: Standard Systems Group
Needs to Sustain Year 2000 Progress,” August 19, 1997. The report states
that the Standard Systems Group must further emphasize management and
oversight of systems interfaces to ensure successful implementation of
Y2K-compliant systems throughout its user community. Also, a number of Standard
Systems Group systems must use standard interface message formats to
exchange data that are defined by external entities outside the control of the
Standard Systems Group. Some of the message formats had not been finalized
by the organizations responsible for their definition. Recently, officials from
the Standard Systems Group’s Year 2000 Project Office began addressing the
interface issue. If effectively implemented by the project office, the effort
should be a positive step toward preventing loss of operational capabilities
between the Standard Systems Group’s internal and external systems’ interface
message formats at the year 2000. The Air Force Director, Communications
and Information, concurred with a draft of the report.

General Accounting Office Report No. AIMD-97-112 (OSD Case No.
1395),
“Defense Computers: Improvements to DOD Systems Inventory Needed for
Year 2000 Effort,” August 13, 1997. The report states that while
improvement efforts have been initiated, the Defense Integration Support Tools
database will not be usable and reliable in time to have a beneficial impact on
Y2K correction efforts. The Defense Integration Support Tools contains the
DOD-wide inventory of automated information systems. The report
recommended investigation of all duplicate, inactive, and incomplete entries;
expedited development and implementation of the purging methodology; and
expansion of information contained in the database for individual systems to
include key program activity schedules that managers of interfacing systems
need to ensure that their systems’ interfaces are maintained during the
renovation phase. The Assistant Secretary of Defense (Command, Control,
Communications, and Intelligence) concurred with the recommendations and
stated that DOD plans to take corrective action by performing statistical
sampling of the Defense Integration Support Tools database to validate
accuracy.

General Accounting Office Report No. AIMD-97-106 (OSD Case No. 1389),
“Defense Computers: Issues Confronting Defense Logistics Agency in
Addressing Year 2000 Problems,” August 12, 1997.
The report states that
the Defense Logistics Agency had already assessed the Y2K impact on its
operations; inventoried its systems; conducted pilot projects to determine Y2K
effects on some of its major systems; and developed and issued policies,
guidelines, standards, and recommendations on Y2K correction for the agency.
The Defense Logistics Agency had not prioritized the 86 automated information
systems that it plans to have operational in the year 2000 to ensure that
mission-critical systems are corrected first. In addition, the Defense Logistics Agency
had not developed contingency plans in the event that any of the systems cannot
be corrected on time. The report recommended that the Defense Logistics
Agency complete signed, written interface agreements detailing data exchange
methods; develop a Y2K systems prioritization plan; and prepare contingency
plans for all critical systems. The Under Secretary of Defense for Acquisition
and Technology concurred with the recommendation on interface agreements
and contingency plans but did not concur with the recommendation on systems
prioritization, stating that the Defense Logistics Agency planning efforts and
strategy for renovating its systems are adequate. The Defense Logistics Agency
is in the process of ensuring that documented agreements are prepared for all
interfaces requiring changes between their interface partners. Completion was
expected in September 1997. The Defense Logistics Agency is also in the
process of preparing contingency plans within each business area focusing on
those systems that Y2K will affect. Initial plans were to be prepared by October
1997.

General Accounting Office Report No. AIMD-97-117 (OSD Case No. 1392),
“Defense Computers: Defense Finance and Accounting Service Faces
Challenges in Solving the Y2K Problems,” August 11, 1997.
The report
states that the Defense Finance and Accounting Service had developed a Y2K
strategy consistent with the DOD Y2K Management Plan and has defined
conditions that automated information systems must meet to obtain certification
as Y2K compliant. However, the Defense Finance and Accounting Service had
not identified all critical tasks for achieving Y2K objectives, established
milestones for completing all tasks, performed formal risk assessments of all
systems to be renovated, or prepared contingency plans in the event that
renovations are not completed in time or fail to operate properly. The report
also states that the Defense Finance and Accounting Service had not identified
all system interfaces and had completed only 230 of 904 written agreements
with interface partners. Further, the Defense Finance and Accounting Service
had not adequately ensured that testing resources will be available to determine
whether all operational systems are compliant before the year 2000. The report
recommended that the Defense Finance and Accounting Service identify Y2K
program actions and milestones, issue guidance to ensure continuity of
operations, identify external interfaces and obtain written agreements describing
the method of data exchange, and devise a testing schedule to ensure that all
systems can operate in a Y2K environment. The Under Secretary of Defense
(Comptroller) concurred with the recommendations. The Defense Finance and
Accounting Service agreed to update its existing Year 2000 Executive Plan and
its Corporate Contingency Plan. It also agreed to have all written interface
agreements with interface partners in place by September 30, 1997, and to fully
implement its certification process for ensuring that all systems are Y2K
compliant.
Further, the Defense Finance and Accounting Service agreed to
devise a testing schedule that identifies the test facilities and resources needed
for performing proper testing of its systems in a Y2K environment.

General Accounting Office Publications. Among the publications that the
General Accounting Office issued relating to the Y2K problem are the Exposure
Draft (GAO/AIMD-10.1.14), “Year 2000 Computing Crisis: An Assessment
Guide,” February 1997; and the Exposure Draft (GAO/AIMD-10.1.17),
“Year 2000 Computing Crisis: Audit Program Guide,” June 1997. The
assessment guide provides a framework and a checklist for assessing the
readiness of Federal agencies to achieve Y2K compliance. The assessment
guide provides information on the scope of the challenge and offers a structured
approach for reviewing the adequacy of agency planning and management of the
Y2K program. The audit program guide provides information technology
system auditors with more detailed guidelines to use in reviewing individual
agency efforts in solving Y2K issues.

Inspector General, DOD

Inspector General, DOD, Report No. 98-065, “DOD Information Technology
Solicitations and Contract Compliance for Year 2000 Requirements,”
February 6, 1998. The review focuses on the compliance of DOD information
technology solicitations and contracts with Federal Acquisition Regulation
section 39.106, “Y2K Compliance.” The report states that 20 of the reviewed
35 indefinite-delivery/indefinite-quantity and indefinite-delivery-requirement
information technology contracts (for commercial off-the-shelf products) did not
have the required Federal Acquisition Regulation Y2K compliance language,
and none of the 35 contracts required testing of purchased products.
As a
result, DOD has no assurance that information technology products purchased
were Y2K compliant. Further, the purchase of noncompliant products may
seriously hamper the ability of DOD to perform its administrative and
warfighting mission requirements. Additionally, because 33 of the 35 contracts
are available for use by other Federal agencies, nonconforming contract items
could negatively affect the ability of the Federal Government to survive the
Y2K crisis. After the audit results briefing, the Acting Assistant Secretary of
Defense (Command, Control, Communications, and Intelligence) and the
Director, Defense Procurement, drafted new guidance for the DOD Components
that would require Y2K-compliant information technology and testing of items
purchased from the information technology contracts. The guidance was later
signed by the Acting Assistant Secretary of Defense (Command, Control,
Communications, and Intelligence). In addition, Army, Navy, and Air Force
contracting officers completed the contract modifications to include the required
Federal Acquisition Regulation Y2K language in 17 additional contracts. Three
other Air Force contracts are being reviewed.

Inspector General, DOD, Report No. 98-074, “Sharing Year 2000 Testing
Information on DOD Information Technology Systems,” February 12, 1998.
The review focused on whether planning for year 2000 testing is adequate to
ensure that mission critical DOD information technology systems will continue
to operate properly after the year 2000.
While DOD has designated the use of
Internet homepages as the primary means of sharing year 2000 related
information and DOD Components have made progress in establishing year 2000
information on their respective homepages, the process for sharing year 2000
testing information can be more effective. The report states that DOD
Components may be expending time-sensitive resources inefficiently in solving
the year 2000 problem through the duplication of efforts and in attempting to
locate accurate testing information. Further, the ability to retrieve and use all
appropriate testing information in a timely and efficient manner will be
instrumental in the solution of the year 2000 problem. The report
acknowledged actions taken by the Assistant Secretary of Defense (Command,
Control, Communications, and Intelligence) to establish a DOD-sponsored year
2000 testing information center for collecting, analyzing, and disseminating year
2000 related testing information, and initial efforts to provide a year 2000
hotline service to the DOD Components. The report recommended that
additional action be taken to notify DOD Components of the testing center’s year
2000 role and responsibilities and of the DOD Components’ responsibility to
share testing information. The report also recommended that DOD internet
homepages be organized to enable users to quickly and easily access the center
for year 2000 testing information.

Appendix C.
DOD Component August 1997 Reports

                                           Mission-         Five-Phase Management Process
                                    Total  Critical
DOD Component                     Systems   Systems  Assessment  Renovation  Validation  Implementation

Army                               13,687       367         152          44          16              16
Navy                                1,970       289          68          54           5              28
Air Force                           2,584       395         174          65          31               4
Joint Staff                           302       169          17          59          37               1
Ballistic Missile
 Defense Organization                  75        37          16           1           1               0
Defense Contract Audit Agency           1         1           0           0           0               0
Defense Commissary Agency              36         7           1           2           1               3
Defense Finance and
 Accounting Service                   186        91          24          45           2               0
Defense Intelligence Agency           109       109          90           6          13               0
DOD Intelligence Information
 System*                              109       109          46          26          25               0
Defense Investigative Service           7         0           0           0           0               0
Defense Information Systems
 Agency                               339       106           0          56           1               5
Defense Logistics Agency              333        14           0           6           6               0
Defense Security Assistance
 Agency                                11         4           0           3           0               1
Defense Special Weapons Agency        115        10           1           0           0               2
National Imagery and Mapping
 Agency                               222       175          19          40           0               0
National Reconnaissance Agency         27        27          24           3           0               0
National Security Agency            1,573     1,573       1,070         320          53              53
Office of the Assistant Secretary
 of Defense (Health Affairs)          112       112          27          15           6              24
Armed Forces Information
 Services                               0         0           0           0           0               0
On-Site Inspection Agency              41         0           0           0           0               0
Under Secretary of Defense for
 Acquisition and Technology            75         0           0           0           0               0
Washington Headquarters Services      136       100           8          12          27               5
  Total                            22,050     3,695       1,737         757         224             142

*Portion centrally funded for the Armed Services.

Appendix D.
Report Distribution

Office of the Secretary of Defense
Under Secretary of Defense for Acquisition and Technology
  Deputy Under Secretary of Defense (Acquisition Reform)
  Deputy Under Secretary of Defense (Logistics)
  Director, Defense Procurement
  Director, Defense Logistics Studies Information Exchange
Under Secretary of Defense (Comptroller)
Under Secretary of Defense for Personnel and Readiness
Assistant Secretary of Defense (Command, Control, Communications, and Intelligence)
Assistant Secretary of Defense (Health Affairs)
Assistant Secretary of Defense (Public Affairs)

Joint Chiefs of Staff
Director, Joint Staff

Department of the Army
Auditor General, Department of the Army
Chief Information Officer, Army

Department of the Navy
Assistant Secretary of the Navy (Financial Management and Comptroller)
Auditor General, Department of the Navy
Chief Information Officer, Navy

Department of the Air Force
Assistant Secretary of the Air Force (Financial Management and Comptroller)
Auditor General, Department of the Air Force
Chief Information Officer, Air Force

Unified Commands
Commander in Chief, U.S. European Command
Commander in Chief, U.S. Pacific Command
Commander in Chief, U.S. Atlantic Command
Commander in Chief, U.S. Southern Command
Commander in Chief, U.S. Central Command
Commander in Chief, U.S. Space Command
Commander in Chief, U.S. Special Operations Command
Commander in Chief, U.S. Transportation Command
Commander in Chief, U.S. Strategic Command

Other Defense Organizations
Director, Ballistic Missile Defense Organization
  Chief Information Officer, Ballistic Missile Defense Organization
Director, Defense Advanced Research Projects Agency
  Chief Information Officer, Defense Advanced Research Projects Agency
Director, Defense Commissary Agency
  Chief Information Officer, Defense Commissary Agency
Director, Defense Contract Audit Agency
  Chief Information Officer, Defense Contract Audit Agency
Director, Defense Finance and Accounting Service
  Chief Information Officer, Defense Finance and Accounting Service
Director, Defense Information Systems Agency
  Inspector General, Defense Information Systems Agency
  Chief Information Officer, Defense Information Systems Agency
Director, Defense Legal Services Agency
  Chief Information Officer, Defense Legal Services Agency
Director, Defense Logistics Agency
  Chief Information Officer, Defense Logistics Agency
Director, Defense Security Assistance Agency
  Chief Information Officer, Defense Security Assistance Agency
Director, Defense Security Service
  Chief Information Officer, Defense Security Service
Director, Defense Special Weapons Agency
  Chief Information Officer, Defense Special Weapons Agency
Director, National Security Agency
  Inspector General, National Security Agency
Director, On-Site Inspection Agency
  Chief Information Officer, On-Site Inspection Agency
Inspector General, Defense Intelligence Agency
Inspector General, National Imagery and Mapping Agency

Non-Defense Federal Organizations and Individuals
Chief Information Officer, General Services Administration
Office of Management and Budget
  Office of Information and Regulatory Affairs
Technical Information Center, National Security and International Affairs Division, General
  Accounting Office
Director, Defense Information and Financial Management Systems, Accounting and Information
  Management Division, General Accounting Office

Chairman and ranking minority member of each of the following congressional committees and
  subcommittees:

  Senate Committee on Appropriations
  Senate Subcommittee on Defense, Committee on Appropriations
  Senate Committee on Armed Services
  Senate Committee on Governmental Affairs
  House Committee on Appropriations
  House Subcommittee on National Security, Committee on Appropriations
  House Committee on Government Reform and Oversight
  House Subcommittee on Government Management, Information, and Technology,
    Committee on Government Reform and Oversight
  House Subcommittee on National Security, International Affairs, and Criminal Justice,
    Committee on Government Reform and Oversight
  House Committee on National Security

Part III - Management Comments

Office of Assistant Secretary of Defense
(Command, Control, Communications, and
Intelligence) Comments

ASSISTANT SECRETARY OF DEFENSE
6000 DEFENSE PENTAGON
WASHINGTON, DC 20301-6000

January 15, 1998

MEMORANDUM FOR DIRECTOR, ACQUISITION MANAGEMENT DIRECTORATE,
               OFFICE OF THE INSPECTOR GENERAL, DOD

SUBJECT: Response to the Office of the Inspector General (OIG),
         DOD Draft Audit Report on Year 2000 Information
         Technology System Reporting Requirements,
         Project No.
7RE-6023, dated November 26, 1997

Thank you for the opportunity to review and comment on your
November 26, 1997, draft audit report on reporting requirements
for Year 2000 (Y2K) information technology systems. We have
reviewed the report and agree that an update of the Department
of Defense (DOD) Year 2000 Management Plan is needed. The
report recommended, in addition, that the DOD Components be
required only to report necessary and useful oversight
information. Attached are my comments on the report's
recommendations along with some specific comments that respond
to several of the report's findings.

We appreciate the opportunity to work with the OIG audit
team and to exchange information on the Y2K project. The audit
is helpful for ensuring that the DOD maintains a reliable
reporting mechanism that will satisfy the requirements of both
the Department and the oversight agencies to whom we report our
progress.
Also, the audit has highlighted areas where the
Department may improve the information collection process.
Please incorporate this memorandum, along with the attachment,
in the final audit report.

Attachment
(Acting)

Response to the Office of the Inspector General (OIG)
DoD Draft Audit Report on
"Year 2000 Information Technology System Reporting Requirements"
Project No. 7RE-6023, dated November 26, 1997

Recommendation 1: The DoDIG recommended an update to the DOD
Year 2000 Management Plan reflecting changes in reporting
requirements and including adequate procedures on how year 2000
quarterly reports should reconcile.
[Final Report Reference: Unnumbered]

Response: Concur. Procedures for reporting progress each
quarter in evaluating and repairing automated information
systems (AISs) and devices controlled by information technology
have been widely disseminated through meetings and electronic
media. However, the Department agrees that revising the DOD
Year 2000 Management Plan would codify these informal
instructions into a single document.

The DOD Components have been participating with the DOD
Chief Information Officer's staff in revising the Plan since
August 1997. Section 9.
"DOD System Inventory and Quarterly
Reporting Requirements," provides thorough instruction on
providing progress status in addressing the Year 2000 (Y2K)
problem, including directions on balancing the numbers that are
reported. Balanced data insures reliability of the information
DOD provides to Congress and others. The Department has delayed
the publishing of the second edition of the Management Plan in
order to include revised requirements under development by the
Office of Management and Budget (OMB). The revised Plan is
projected for publication in February 1998.

Recommendation 2: The OIG recommended that the reporting
requirements be revised for DOD Components to ensure that only
necessary and useful oversight information is reported.
[Final Report Reference: Deleted]

Response: Non-concur. The Department understands that the
Components may find the currently required reporting onerous.
However, it has not been the intent of the Department to levy
reporting that is not needed. Most reporting requirements come
from Congress and OMB. Their interest and new requirements will
increase.

The information we are currently collecting will continue
to be required, along with additional information. For example,
the Office of Management and Budget (OMB) published their third
report "Progress on Year 2000 Conversion" in December 1997.
That report accelerates target dates for completing renovation
to September 1998 and implementation to March 1999.
Systems
that cannot meet this schedule must be reported in upcoming
quarterly reports. OMB is requiring independent verification of
progress and has tasked the CIO Council to develop
government-wide best practices in contingency planning. Data exchanges
with States must be inventoried by February 1, 1998, and Federal
agencies must communicate the precise format of the data
exchanges and the timing of the change to the new format by
March 1, 1998.

None of the pre-existing OMB requirements have been
rescinded. OMB has in preparation at this time, a draft letter
which includes a requirement to provide more thorough
information on efforts to fix non-mission critical system, data
exchange information, the status of validation and contingency
planning efforts, more extensive embedded chip data, and
progress status in fixing other government-wide systems. Much
of this information we are not yet collecting.

Therefore, we find the OIG recommendation to minimize
reporting requirements unattainable.
External Y2K "reporting\n       requirements" will increase.\n\n       Additional Comments:\n\n       Page 5, Year 2000 Information Technology System Reporting\n       Requirements, last sentence: "Additionally, the Chief\n       Information Officer for DOD collects information not required by\n       the Office of Management and Budget and which is of limited use\n       for oversight purposes."\n       [Final Report Reference: Deleted]\n\n       Comment: There was no information collected from the Components\n       for the third Quarterly Report to OMB that was not used in the\n       report. The only questionable information may stem from a data\n       item on interfaces outlined on the reporting spreadsheets. The\n       Components were instructed to disregard the interface issues\n       until my office provided improved guidance.
None of the\n       Components reported interface data.\n\n       Page 6, Component Quarterly Reports, sentences 2 and 3: "The\n       CIO staff believed that the reports for the second quarter were\n       substantially more complete and accurate because the DOD\n       Components better understood the reporting requirements.\n       However, our analyses of the reports for the second quarter did\n       not confirm that belief."\n       [Final Report Reference: Page 5]\n\n       Comment: The next paragraph, Completeness of Reports, indicates\n       that the CIO staff was correct: the Components did show\n       improvement in their submittals. Those Components who provided\n       data that was "incomplete" did not report embedded chip\n       information. This information is more difficult to accumulate\n       and verify.
Also, the five DOD Components who did not submit a\n       report, but requested that the DIST be used to generate their\n       reports were compliant with the DOD reporting requirement in\n       making this request.\n\n       Page 0, Usefulness of Required Data: "We concluded that some\n       data that CIO required was of little use for oversight purposes.\n       Although the primary concern of OMB personnel was mission\n       critical systems, they also required a brief narrative\n       summarizing progress made in other infrastructure systems that\n       relied on embedded microchips, such as elevators, security\n       systems, and biomedical devices. Within the infrastructure\n       reporting category, the CIO requires Components to report\n       personal computers, file servers, and communications hardware\n       and software modules."\n       [Final Report Reference: Deleted]\n\n       Comment: The DOD CIO asked for a one-line entry for each of\n       these devices not associated with an AIS. All must be checked\n       for Y2K compliance. It is part of the oversight process to\n       accumulate the information that they have been checked and what\n       their Y2K status is. There is not an inventory of the total\n       number of DOD personal computers and network components or of\n       the total number of bio-medical devices. The fact remains,\n       however, that this equipment must be evaluated for Y2K\n       compliance.
The Single Agency Manager for our organization\n       acceptance tests each new personal computer as it is delivered\n       and has found that 30% or more of these new deliveries are\n       non-compliant.\n\nAudit Team Members\n\nThis report was prepared by the Acquisition Management Directorate, Office of the\nAssistant Inspector General for Auditing, DOD.\n\nThomas F. Gimble\nPatricia A. Brannin\nMary Lu Ugone\nJames W. Hutchinson\nTimothy J. Harris\nMaria R. Palladino\n'